topic Talk standards to me... Oauth 2.1 draft released in Tech Talk https://community.isc2.org/t5/Tech-Talk/Talk-standards-to-me-Oauth-2-1-draft-released/m-p/34976#M2596 <P data-unlink="true">We have a new IETF&nbsp;<A href="https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01" target="_blank" rel="noopener">draft</A> for OAuth v2.1, Authorization Framework. It's not radically different from 2.0, but does have the latest security best practices built-in by design. Aaron Parecki had<SPAN>&nbsp;</SPAN>a great <A href="https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1" target="_blank" rel="noopener">blog</A> post&nbsp;explaining the rationale behind the update.</P><P data-unlink="true">&nbsp;</P><P>The main changes for your dev teams to be aware of are:</P><P>&nbsp;</P><UL><LI>Proof Key for Code Exchange (PKCE) is now required for authorization code grant.</LI><LI>Exact matching is required for redirect URIs.</LI><LI>Refresh tokens are now sender-constrained or one-time use only.</LI><LI>Implicit grant and Resource Owner Password Credentials grant have been removed.</LI><LI>Bearer tokens in query parameters are no longer allowed.</LI></UL><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image by Aaron Parecki." style="width: 400px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/4034iB45E64B082C7973A/image-size/medium?v=v2&amp;px=400" role="button" title="oauth-maze.png" alt="Image by Aaron Parecki." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image by Aaron Parecki.</span></span></P><P>&nbsp;</P> Mon, 09 Oct 2023 09:30:07 GMT AppDefects 2023-10-09T09:30:07Z Talk standards to me... Oauth 2.1 draft released https://community.isc2.org/t5/Tech-Talk/Talk-standards-to-me-Oauth-2-1-draft-released/m-p/34976#M2596 <P data-unlink="true">We have a new IETF&nbsp;<A href="https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01" target="_blank" rel="noopener">draft</A> for OAuth v2.1, Authorization Framework. It's not radically different from 2.0, but does have the latest security best practices built-in by design. Aaron Parecki had<SPAN>&nbsp;</SPAN>a great <A href="https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1" target="_blank" rel="noopener">blog</A> post&nbsp;explaining the rationale behind the update.</P><P data-unlink="true">&nbsp;</P><P>The main changes for your dev teams to be aware of are:</P><P>&nbsp;</P><UL><LI>Proof Key for Code Exchange (PKCE) is now required for authorization code grant.</LI><LI>Exact matching is required for redirect URIs.</LI><LI>Refresh tokens are now sender-constrained or one-time use only.</LI><LI>Implicit grant and Resource Owner Password Credentials grant have been removed.</LI><LI>Bearer tokens in query parameters are no longer allowed.</LI></UL><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image by Aaron Parecki." style="width: 400px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/4034iB45E64B082C7973A/image-size/medium?v=v2&amp;px=400" role="button" title="oauth-maze.png" alt="Image by Aaron Parecki." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image by Aaron Parecki.</span></span></P><P>&nbsp;</P> Mon, 09 Oct 2023 09:30:07 GMT https://community.isc2.org/t5/Tech-Talk/Talk-standards-to-me-Oauth-2-1-draft-released/m-p/34976#M2596 AppDefects 2023-10-09T09:30:07Z